Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ef0bb78efa5761a…

MALICIOUS

PDF

File size: 50.9 KB
Created: 2020-10-26 15:00:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2020-12-26
MD5: 764ce2874081be2af0b2fc672c4ec0c6
SHA-1: f5187bc457c81c57cc5a647384bf82eb3088a529
SHA-256: 1ef0bb78efa5761a63ed34b891e931ac7da15908b3dc1c2cb5d5c0bc5651cb38
Risk Score: 194

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • https://cctraff.ru/aws?keyword=pdf+comment+and+annotation+tools (In PDF document text)
    • https://jaxuwigoba.weebly.com/uploads/1/3/4/2/134266140/5542942.pdf (In PDF document text)
    • https://kisogegexene.weebly.com/uploads/1/3/4/3/134374262/wupafaboxelofil.pdf (In PDF document text)
    • https://regujume.weebly.com/uploads/1/3/4/3/134339948/5063150.pdf (In PDF document text)
    • https://satobolusiv.weebly.com/uploads/1/3/1/3/131398412/ac1e7b346f228.pdf (In PDF document text)
    • https://repugonajipivup.weebly.com/uploads/1/3/0/8/130814926/4877954.pdf (In PDF document text)
    • https://jeponiruwapin.weebly.com/uploads/1/3/0/7/130776483/powuwenalapufaxusun.pdf (In PDF document text)
    • https://widubemevojapo.weebly.com/uploads/1/3/4/3/134320166/xalexabotowukag.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4367281/normal_5f88634fd3aa5.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4380692/normal_5f91f95f8a565.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4376374/normal_5f8ebf0f477c2.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366965/normal_5f8865bd34b9e.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In extracted file: font_00_sfnt_off00008869.bin)
    • http://www.ascendercorp.com/typedesigners.html (In extracted file: font_00_sfnt_off00008869.bin)
    • https://cdn.shopify.com/s/files/1/0433/8624/1189/files/84703272706.pdf (In PDF document text)
    • https://cdn.shopify.com/s/files/1/0499/1336/4648/files/ben_10_benwolf_powers.pdf (In PDF document text)
    • https://cdn.shopify.com/s/files/1/0498/2131/9323/files/zigolexakazarineb.pdf (In PDF document text)
    • https://cdn.shopify.com/s/files/1/0476/5148/7910/files/rirovogomoserepanituvez.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/eec42faf-2d8b-4151-9903-c2ff0733e659/pirawug.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/ba20cf46-2b08-4b6c-adb4-8abaa158afc7/vafowokipanobimajipikari.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/4f19563b-03ab-426b-bd38-c49cbae17c94/runetasonutimubaf.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/e9d36626-b26d-43f5-bf96-703ecf6cc791/67672155524.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/3412f22d-1eab-4fda-8f11-61250ed0a8e9/43098104781.pdf (In PDF document text)
    • https://cdn.shopify.com/s/files/1/0439/0728/5147/files/keeping_up_with_the_kardashians_season_16_episode_11_full_episode.pdf (In PDF document text)
    • https://cdn.shopify.com/s/files/1/0496/6708/0343/files/wojekipiberomer.pdf (In PDF document text)
    • https://cdn.shopify.com/s/files/1/0484/6845/9670/files/tejido_conjuntivo_hematopoyetico.pdf (In PDF document text)
    • https://cdn.shopify.com/s/files/1/0502/3308/2014/files/pmegp_online_application.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In extracted file: font_00_sfnt_off00008869.bin)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00008869.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8869
    Size: 5072 bytes
    SHA-256: 4b13743f8b883546da8e21e42a2b8942dfe36faa8b84d4d04cef1ad9def582f7
  • Filename: font_01_sfnt_off00009992.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9992
    Size: 10632 bytes
    SHA-256: af4e28304a6ea087f7ddddeaf85dcd3a911de8943366e88482450464c5652105